What to expect in a SOC 2 Engagement?

SOC stands for System and Organisation Controls and was designed by the American Institute of Certified Public Accountants (AICPA).

SOC 2® is the reporting standard used to describe how an organisation designs and operates its controls. The controls are described in the framework most commonly known as the Trust Services Criteria (TSC). 

SOC 2® is mentioned in various cybersecurity contexts, but many people have no idea what it is. Does it have anything to do with security operations? Much of the confusion about SOC 2® arises because another acronym used in the world of cybersecurity – SOC – refers to a Security Operations Centre.

The reality is that SOC 2® is more like ISO 27001, as it’s a security standard you use for running your business and can be externally certified so you can demonstrate to your customers, partners, or regulators you have a well-implemented security program.

Find out the difference between SOC 2 and ISO 27001 here.

Types of SOC 2 audit

SOC 2® Type 1

The SOC 2® Type 1 report assesses design effectiveness, i.e., whether the service has been created in such a way that it sufficiently addresses the intent of the control framework (the Trust Services Criteria).

SOC 2® Type 2

The SOC 2® Type 2 report assesses operational effectiveness, i.e., whether the controls are being used in the way they were designed and sufficiently address the ongoing intent of the controls.

The SOC 2® Type 2 report is generally not shared with anyone external to the given service provider; however, if an organisation requires it, the report can be shared.

Sekuro’s SOC 2® services ensure you save time, reduce cost and receive exceptional results.

Our SOC 2® services are end-to-end, offering a lifecycle of SOC 2® Type 1 Service pre-work, gap assessment, remediation services, the controls matrix and mapping exercises, service description and optimal consulting services.

Further to the lifecycle approach, the Sekuro audit team will take over and drive the SOC 2® Type 2 Service test designs. The team will ensure that the controls are operating effectively prior to providing the required deliverables. Both the consulting and auditing teams at Sekuro have exceptional skills in providing your organisation with guidance and direction throughout the SOC 2® process.

SOC 2® Type 1 Service

To demystify the process of achieving data security compliance, we have developed a high-level approach and methodology for delivering SOC 2® Type 1 services.

Sekuro’s Governance, Risk and Compliance (GRC) team assists the given organisation with the following:

  • Pre-work, which is in the form of a Gap Analysis to enhance the state of the service provider’s environment prior to conducting the SOC 2® audit.
  • Identifying boundaries including the environment, software, infrastructure, procedures and data.
  • Determining which of the Trust Services Criteria (TSC) principles to use and why those criteria have been selected (aside from the security principle, which is required).
  • Producing a Gap Assessment report.
  • Examining each of the selected TSC principles and conducting workshop-style interviews with the relevant SMEs who are most proficient in that principle. Hosting these workshops enables the Sekuro consultant to understand the scope and the environment, and assists the given organisation in understanding its gaps.
  • Assisting in the remediation process to close the gaps with the service provider and turn the Gap Assessment into a Controls Matrix.
  • Developing an internal Services Description, which is a medium- to high-level overview of your organisation, its operations, risk assessment, management processes and relevant relationships, mostly stipulating the functional side of the business.
  • Together, the GRC consultants and auditors will work on the Assurance Strategy Document (ASD), a formal assurance document requiring information regarding service provider contracts, details of the engagement, aspects of the TSC included in the audit, key risks and dates.

Further to this, the Sekuro Audit team will assist with the following:

  • Host an audit kick-off meeting, in which the team determines and structures the timing, technical and procedural components of the audit along with the milestones and phases.
  • The audit team will use the Controls Matrix and the evidence provided (including all policies, documents and procedures) to conduct mini workshops in the form of tests, ensuring the design of each control meets the intent of the business.
  • The audit team will develop work papers and worksheet steps detailing the design, along with a new project dashboard and the controls applicable to the engagement.
  • The audit team will prepare the draft report, which includes the tests and the results of those tests.
  • Once the audit team has completed its design tests, the Certified Practising Accountant (CPA) will prepare the final deliverable: the assurance letter delivered to the given organisation. This letter is very succinct and states that the given organisation has been audited.

What is included in the SOC 2® Type 1 engagement?

The following deliverables are in scope for a Sekuro SOC 2® Type 1 engagement:

  • Engagement letter,
  • Gap Assessment,
  • Controls Matrix,
  • Services Description,
  • Assurance Strategy Document,
  • Signed Independence Checklists,
  • Type 1 Assurance Letter (audit letter)

The following activities are in scope for a Sekuro SOC 2® Type 1 engagement:

  • Assistance with the pre-work, gap assessment and remediation of gaps.
  • Engagement of an appropriate chartered accountant on your behalf.
  • Kick-off and scheduled meetings, along with exit interviews and documented events.
  • Testing of the design effectiveness of your controls against the TSC.
  • An assurance letter delivered to the service provider. This letter is very succinct and states that the service provider has been audited.

SOC 2® Type 2 Service

SOC 2® Type 2 reporting points to a higher level of compliance and, because it is another audit, we have devised a high-level methodology for delivering this service.

Sekuro’s Governance, Risk and Compliance (GRC) team will assist the service provider with the following:

  • Preparation to determine whether the controls designed for the SOC 2® Type 1 report have been operating effectively in the environment.
  • Expert advice prior to the commencement of the audit.
  • Ensuring that regulatory requirements, vendor requirements and contractual requirements are met.
  • Addressing the monitoring of attempts at unauthorised access.
  • Confirming the existence of detailed audit trails.

Further to this, the Sekuro Audit team will assist with the following:

  • Host an audit kick-off meeting, in which the team determines and structures the timing, technical and procedural components of the audit along with the milestones and phases.
  • The audit team will verify that the controls from the SOC 2® Type 1 are operational and work in an appropriate manner over 6 to 12 months. This determines which controls have been executed and are operating effectively.
  • Our CPA and audit team will deliver a SOC 2® Type 2 audit and report on the design of the controls and their effectiveness over time. It attests that the organisation is meeting the selected criteria.
  • Report on the Services Description and the suitability of the design, and confirm the results of the tests performed by the audit team.

What is included in the SOC 2® Type 2 engagement?

The following deliverables are in scope for a Sekuro SOC 2® Type 2 engagement:

  • Engagement letter,
  • Controls Matrix,
  • Services Description,
  • Assurance Strategy Document,
  • Signed Independence Checklists,
  • Type 2 Assurance Letter (audit letter)

The following services are in scope for a Sekuro SOC 2® Type 2 engagement:

  • Engagement of an appropriate chartered accountant on your behalf. We choose an accountant specific to the needs of your business, depending on the agility and longevity of the given organisation.
  • Kick-off and scheduled meetings, along with exit interviews and documented events.
  • Design and testing of the operational effectiveness of your controls, which must have been in place for a minimum of six months, against the controls and principles the organisation has selected from the TSC.
  • An assurance letter delivered to the given organisation. This letter is very succinct and states that the given organisation has been audited and has certain controls in place to ensure the business is operating effectively.

How to prepare and plan for your service

Are you ready to get SOC 2® certified? Follow these steps to begin your organisation’s journey:

  1. Ensure that you are a service provider, store customer data in the cloud and require compliance with security controls.
  2. Take a look at the Trust Services Criteria (TSC) and determine the controls and principles you want to implement.
  3. Ensure that you have resources and time ready for the duration of the SOC 2® engagement.
  4. Prepare and create policies and procedures, or update all internal processes, employee training and education, and organise these documents into a shared file.

For more information or a free walkthrough of our SOC 2® approach and methodology, contact Sekuro today to talk to an expert.